Memory-demanding password scrambling

16Citations
Citations of this article
26Readers
Mendeley users who have this article in their library.

This article is free to access.

Abstract

Most of the common password scramblers hinder passwordguessing attacks by “key stretching”, e.g., by iterating a cryptographic hash function many times. With the increasing availability of cheap and massively parallel off-the-shelf hardware, iterating a hash function becomes less and less useful. To defend against attacks based on such hardware, one can exploit their limitations regarding to the amount of fast memory for each single core. The first password scrambler taking this into account was scrypt. In this paper we mount a cache-timing attack on scrypt by exploiting its password-dependent memory-access pattern. Furthermore, we show that it is possible to apply an efficient password filter for scrypt based on a malicious garbage collector. As a remedy, we present a novel password scrambler called Catena which provides both a password-independent memory-access pattern and resistance against garbage-collector attacks. Furthermore, Catena instantiated with the here introduced (G, λ)-DBH operation satisfies a certain time-memory tradeoff called λ-memory-hardness, i.e., using only 1/b the amount of memory, the time necessary to compute the password hash is increased by a factor of bλ. Finally, we introduce a more efficient instantiation of Catena based on a bit-reversal graph.

Cite

CITATION STYLE

APA

Forler, C., Lucks, S., & Wenzel, J. (2014). Memory-demanding password scrambling. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8874, pp. 289–305). Springer Verlag. https://doi.org/10.1007/978-3-662-45608-8_16

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free